After reading about Dan Rosenberg’s bootloader exploit for the Samsung Galaxy S 4, I figured it would not be long before someone would craft a package for loading custom ROMs. Of course, I shouldn’t be surprised that Dan is the one who figured it out.
You may know him better as XDA Recognized Developer Djrbliss. In his original thread, you’ll learn about the Loki package he put together to load custom recovery and ROM images into AT&T and Verizon variants of the GS4. The device must already be rooted, but he links to guides that can walk you through that as well.
There are a couple of caveats to the exploit. The first is that it will be very easy for the carriers to patch against it, so avoid OTA updates unless you know they don’t contain a patch. The second is that the Loki package is intended for developers, which means it’s not just a one-click operation. Having looked through the code repositories, it does look like a very straightforward set of command line operations, so don’t be scared off either.
The exploit side steps the signature check when the phone launches a ROM. Dan found it when looking at the phones aboot partition. Searching for some of the strings found in his disassembly, he discovered it’s nearly identical to the Little Kernel open source bootloader. This made it significantly easier to figure out how the boot process works. It turns out that the signature check function is written to memory during the boot process. His exploit overwrites this code to return a confirmation that the ROM is signed even though it is not._________